No DNS available while running suricata

Hi, I’ve recently set up a Debian 11 machine running Suricata in IPS inline mode. It has 2x 1 Gbps eth ports and is set up inline between those. I noticed that while Suricata is running the machine is not able to resolve hostnames, even ones like google, but if I run without Suricata it is capable of resolving everything. Why does running Suricata prevent the machine from “talking” to DNS servers?

Still no answers. Anyway, I’m trying to figure out why Debian 11 is not able to gather DNS information while running Suricata.

I don’t have an answer at the moment. But can you tell us if you’re using nfq or af-packet for IPS? Also, can you try with no rules loaded?

Using af-packet, and even with no rules it still can’t resolve names.

What version are you using, and can you share the config?
Also, what interfaces are used on the system? Is the one for the default routing of the system one of those used for Suricata?

I don’t know why, but if I use local DNS resolvers that are “behind” Suricata they don’t work while Suricata is running, but if I use public DNS (e.g. they work even if Suricata is running.

Suricata version is 6.0.3. Yes, Suricata is using all of the available interfaces (2x Gig eth). I will upload suricata.yaml as soon as possible.

Suricata appears to be blocking port 53 (either in- or outgoing) on your server.
Have you added any special rules?
Have you created/updated “drop.conf”?
What does “fast.log” show? Are packets to port 53 being dropped?
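One way to make that fast.log check concrete, as an added example that is not part of this thread: a small Python parser for Suricata fast.log lines that picks out dropped packets involving port 53 in either direction. The log lines below are constructed sample data, and the default Suricata 6 fast.log layout (a `[Drop]` token after the timestamp only for dropped packets) is assumed.

```python
import re

# Assumed default fast.log layout:
#   <timestamp>  [Drop] [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:sport -> dst:dport
# The "[Drop]" token is absent for plain alerts; "[wDrop]" marks would-drop in IDS mode.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\da-fA-F.:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\da-fA-F.:]+):(?P<dport>\d+)\s*$"
)

# Constructed sample lines (not from a real sensor): one dropped DNS query,
# one plain alert, and one drop that has nothing to do with DNS.
SAMPLE_FAST_LOG = """\
12/06/2021-10:15:01.123456  [Drop] [**] [1:1000001:1] LOCAL test drop [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.10.20:49152 -> 192.168.10.1:53
12/06/2021-10:15:01.234567  [**] [1:1000002:1] LOCAL test alert [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:80 -> 192.168.10.20:51000
12/06/2021-10:15:02.000000  [Drop] [**] [1:1000003:1] LOCAL test drop 2 [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.20:51234 -> 203.0.113.10:443
"""


def parse_fast_log_line(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    entry["action"] = entry["action"] or "Alert"  # no token means a plain alert
    return entry


def dns_drops(lines):
    """Return the parsed entries that were actually dropped and touch port 53."""
    hits = []
    for line in lines:
        entry = parse_fast_log_line(line)
        if entry is None:
            continue
        # Only "Drop" counts: "wDrop" is a would-drop, i.e. the packet passed.
        if entry["action"] == "Drop" and 53 in (entry["sport"], entry["dport"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in dns_drops(SAMPLE_FAST_LOG.splitlines()):
        print(f'{e["ts"]} {e["proto"]} {e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]} sid={e["sid"]}')
```

Run it against a real sensor with `dns_drops(open("/var/log/suricata/fast.log"))`; an empty result with rules loaded means the resolver traffic is not being dropped by a signature.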

As Suricata creates the bridge when using AF-PACKET between the 2 interfaces, nothing should work when Suricata is not running, unless you have another application performing the bridge (the copying of packets from one interface to another). You might have to describe your topology more, like where the DNS servers are in relation to the machine running Suricata, and in relation to the machines behind Suricata.